The law on data protection applies universally to all organisations and business sectors, and the pharmaceutical industry is no exception. The UK Data Protection Act (DPA) 1998 was based on the European Union (EU) Data Protection Directive 1995 (Directive 95/46/EC) and regulates the way in which personal data must be processed by organisations. It provides the right of the data subject to be informed when his/her data is being processed. In 2013, the Association of the British Pharmaceutical Industry (ABPI) Pharmacovigilance Expert Network (PEN) group, together with PIPA and pvlegal (a membership-based forum organisation for in-house counsel and compliance personnel), put together “Guidance notes on UK data protection in post-marketing pharmacovigilance”, to help companies meet their data protection obligations under the UK Data Protection Act 1998.

A new EU General Data Protection Regulation (EU No. 2016/679) (known as GDPR) was adopted in May 2016, and came into force from 25 May 2018 to reform Directive 95/46/EC. On 23 May 2018, the UK Data Protection Act 2018 received Royal Assent and its main provisions came into force on 25 May 2018. The new Act brings the GDPR requirements into UK law and extends it to cover legal areas for which the EU does not have oversight. It will remain in force even after the UK leaves the EU.

The GDPR aims to strengthen the protection of personal data of all individuals living in the EU. It applies to all companies within the EU and those outside the EU who process personal data of EU subjects. This increase in territorial scope is just one of the ways in which GDPR supersedes the Data Protection Directive that has been in place for over 20 years.